Yesterday (Monday, October 16th, 2017) a major Wi-Fi vulnerability was announced that affects absolutely every device that supports Wi-Fi. The vulnerability allows attackers to decrypt WPA2 connections. The Wi-Fi vulnerability is being called “KRACK”, which is short for Key Reinstallation Attacks. A second vulnerability also emerged yesterday, called “ROCA”, which involves public key encryption and the mechanism used to identify the validity of software installations.

In both cases, software patches will correct the vulnerabilities. It is important to install patches as they become available for any involved devices, which are many. Most important for Android users: Install any available software and security patches as quickly as possible.

The WPA2 Wi-Fi Vulnerability (“KRACK”)

WPA2 is a protocol that secures all modern protected Wi-Fi networks. The security protocol, an upgrade from WEP, is used to protect and secure communications between everything from our routers, mobile devices, and Internet of Things (IoT) devices, but there is an issue in the system’s four-way handshake that permits devices with a pre-shared password to join a network. According to statistics by Wigle.net, it secures 60% of the world’s Wi-Fi networks.

The vulnerability is in the Wi-Fi standard itself, and not in individual products or their implementations. That means that all products that correctly implement the WPA2 standard are affected.

According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device.

Vanhoef notified US-CERT, several months ago, who then informed vendors ahead of the public disclosure to give them time to prepare patches and prevent the vulnerability from being exploited in the wild — of which there are no current reports of this bug being harnessed by cyberattackers.

The Wi-Fi Alliance said in a statement that it “now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.” That should help keep new devices safe, but does little for those already on the market.

“It’s a problem in the core design of how keys are managed and integrity is assured,” says Kenneth White, director of the Open Crypto Audit Project. “When every Wi-Fi client is vulnerable to some of these flaws, the standard is underspecified (and flawed). There will be many millions of internet connected devices that will likely never get fixed.”

For consumers and users, immediate actions like changing Wi-Fi password or installing a new router won’t protect against KRACK attacks. The manufacturers and software developers will release patches and firmware updates for some devices, over time. For some older or low-end devices, patches and firmware updates may never be available. This will be especially problematic for certain IoT devices and consumer grade wifi routers.

For now, users should still use WPA2. Its protections are still worth the risk that someone might be exploiting KRACK somewhere nearby. The best thing you can do to protect yourself is to install updates for as many of your devices as possible as soon as they come out, and make sure you only share sensitive data on sites that use HTTPS encryption. For large institutions, the key is architecting networks with multiple layers of protection, so data security doesn’t hinge on any one standard.

Microsoft deployed a patch for this issue last week, in their recent security update, and Apple has identified that they’d already patched for this issue. For our clients with Ubiquity and Mikrotik devices, patches are available via software/firmware update. Most of the other hardware vendors have not yet released a patch. Information about updates and the process for patching common hardware devices is listed below.

Ubiquity:
Ubiquity has relased a Krack WPA2 vulerability fix for all devices. Implementation of the firmware fix is a manual process and must be performed on each device.
Firware fix is:
[FIRMWARE] 3.9.3.7537 for UAP/USW has been released
To upgrade Ubiquity device:
First perform a regular firware upgrade by clicking the “Upgrade” button for the device. This upgrades the device to the current default firware.
(As of today’s date, this will likely be 3.8.14.6780 for most devices.
Then, perform a custom upgrade to install the 3.9.3.7537 firware.
Visit:
https://community.ubnt.com/t5/UniFi-Updates-Blog/FIRMWARE-3-9-3-7537-for-UAP-USW-has-been-released/ba-p/2099365
Copy the link for the appropriate firmware
For example:
https://dl.ubnt.com/unifi/firmware/U7PG2/3.9.3.7537/BZ.qca956x.v3.9.3.7537.171013.1101.bin
Paste into the “Custom Upgrade” path in the device configuration and then click the “Custom Upgrade” button.

Mikrotik:
Mikrotik has released a Krack WAP2 vulernability fix for all devices. Implementation of the RouterOS and RouterBoard Firmware fixes requires manual updates on each device.
RouterOS Fix is: ver 6.40.4 (Oct 2, 2017)
This is a two step process
First:
RouterOS Upgrade:
Use Winbox to access the routerOS
System -> Packages (likely 6.23 through 6.38.3 for current hardware)
“Check for Updates” 6.40.4 (Oct 2, 2017)
“Download and Install”
Second:
RouterBOARD Firmware Upgrade:
Next step after the RouterOS upgrade is firmware (bootloader) upgrade.
Open Winbox and go to “System/Routerboard” menu (step 1 and 2 from image below).
New window “Routerboard” will pop up, where you can see current and latest available firmware.
Click on “Update” button to upgrade to 3.43
System->Reboot

upgrade
Asus:
-No fixes/patches available at this time.

Linksys/Cisco:
-No fixes/patches available at this time.

Bell Modem/Routers
-No fixes/patches available at this time.

Rogers Modem/Routers
-No fixes/patches available at this time.

Cogeco Modem/Routers
-No fixes/patches available at this time.

Public Key Encryption Vulnerability (“ROCA”)

Another vulnerability known as “ROCA” was also announced on Monday. This vulnerability involves an attack on public key encryption which may weaken the way we authenticate software when installing it. It affects many other systems that rely on public/private key encryption and signing. Fixing this also requires you to update your devices using vendor-released software updates, so keep an eye out for security updates for your devices and workstations that fix any ROCA-related issues.